Modifying Series 11 (AK2025/ATJ2111/3/5) Device Research Thread
 

In this thead we will attempt to modify the existing s1mp3 tools to work with these new Series 11 devices with the AK2025/ATJ2111/3/5 controllers.

These new designs have a different USB and NAND flash controller, but the same ADFU protocol is used. Existing tools will be able to set these devices to ADFU mode but proceed no further.

The first thing we'll need to understand these devices more is to get a dump of the BROM. This would originally be done with s1giveio, however the existing version doesn't work for the reasons explained above. Here is a new, untested version of s1giveio which may work with these new devices:

Download s1giveio for v11 ALPHA here

THIS IS ONLY FOR THOSE WISHING TO TRY THE PROCEDURES BELOW ON A V11 DEVICE WITH THE AK2025 OR ATJ2111/3/5 CONTROLLER. IT WILL NOT WORK ON OTHER VERSIONS AND MAY CAUSE DAMAGE. THE AUTHOR DISCLAIMS ALL RESPONSIBILITY FOR THE USE OF THIS TOOL.

The commands to get a dump of the BROM in s1giveio are as follows:
This will generate a file named dump8000.txt. Post that file here as an attachment if you want to help out.

That worked well.
This is the dump8000.txt file.
I thank you for the help.

Thanks for your contribution. It would be helpful to post what the actual chip is, since there may be several different ones in the 11 series. Getting several other BROM dumps from other s11 players will help as well.

This indicates that my hypothesis about where the USB controller registers have moved is correct, and the USB still functions the same otherwise. We will now analyze the BROM to determine how the NAND controller functions.

I am not certain which chip it is that you need identified. I posted pictures of the circuit board here.


Let me know if there is anything else you need.

thanks for your help with this, I have attached my dump file.

Now my question is what can I do with it :o) I guess I will need to wait before I could use the s1res with it. Thank you for your help with all this so far though, it is always great to have people like you helping hte little guys out. I used to do Assembly Programming a long time ago but it is all starting to look like greek to me.

I was thinking, if the Utility updater (4.21) can access the player, can you uncode it or the dlls to to find out more about how it all works?

The square one.

It's a hexdump, so we convert it back to binary and then use a disassembler to get readable code. The CPU is Z80-compatible. For more information on the overall architecture etc., read the articles on wiki.s1mp3.org.

We hope to start analyzing the BROMs at the beginning of next week. Depending on the changes that have been made, the time until we can get the existing tools to work with these devices may vary, so have patience.

Great! It worked!

Here's my dump. The info about the player is inside.

Here's mine.
 

Here is my dump text file:

I have an ipod Nano 4th Gen clone, represented as 8gb. I can't tell if it has 4 or 2 GB, it seems to act up no matter what I do.

By the way, what's the safest way to open up these units? I don't see any place where there are screws to loosen.

Thanks for working on this problem.

Quote:

By the way, what's the safest way to open up these units? I don't see any place where there are screws to loosen.

Mine has two small screws in the bottom. Pull out the bottom end and then push the guts out the top. The display cover may have to be peeled off first, can't quit remember. It is just stuck on with sticky adhesive.

Mine doesn't have any visible screws. Just a metal body, and two white end caps. I suspect that one of the end caps can be pried out to reveal some screws, but I don't know which side, and I don't want to destroy it. If anyone knows the technique for these 4th gen nano clones, please post.

Mine is a 4th gen nano clone as well and I have 2 white caps. The bottom one has the screws in it though. I am guessing that popping it off should reveal any screws.

I hold no responsibility for any destruction done to your player :o)

Mine is supposed to be a 4th gen Nano clone as well. I guess they don't have to build them all the same way. My top end cap is attached to the circuit board, and so the board must get pushed out the top. However, I have no idea about what you would need to do.

Post some pictures.

I'm not too good with the physical hardware itself, but I might know how to disassemble your device.


Also, BROM analysis has started.

uncleshred, speser, and mdjava's players appear to have BROM version 4.3 dated 2008-01-18.
vicnaum2 has a slightly older version 4.2 BROM with date 2007-10-20.

These two versions are slightly different and we will analyze both. Thank you for your contribution.

:D Great news. Keep us posted.

Pictures of my clone
 

Here are pix of the clone with no visible screws. Looks like one plastic end cap or the other must pry out. Probably the bottom one.

Dumps of 8GB and (new) 4GB
 

Please find two dumps. One is my own old (1 year) 8GB Zolid player. The 4GB is from june 09 from
my daugther. Hope you can make an upgrade so we can exchange firmware :p

Dump AK2025
 

Hello, here is a dump of my player, which has an AK2025 (SA30WBA1CJ) Chip inside. Would be nice if I could use the existing s1mp3 tools with my player in future. Thank you for your work! If I could do more for help you, let me know!

my dump
 

Hi! I'm new in the forum.
I'm Brazilian and has just bought an fake 16gb MP4 from ebay.
It's actually a 2gb MP4, series 11.

Here are the informations:

MP3 Player
XID_2025
2009-01-15
9.5.54
2008-09-05

AK2025

Flash:
SAMSUNG 904
K9GAG08U0M


Does anyone know how to make it show only the real 2gb memory? It shows 16gb, but cracks if I upload more than 1.8gb.
I've tried to format using the MP3 Format Tool and get worst: it created a second drive unit and the first has now only 21mb. I'm not getting sucessfull removing the second drive unit.

Hoping to help with the dump and get helped with my problem.

Thanks!

my dump
 

sorry for my english, i'm italian boy?

my dump...and now? i have semaphore timeout error v9

Hi, I'm new to the forum, I have also been scammed by one of the HK sellers on ebay.
Just bought a 16GB mp3/mp4 unit and tried to upload by music. It basically screwed up after it reached about 2GB and now I can't even delete the folders I created on it.

I have used the s1giveio on it and dumped mem to a txt file. Does not contain much but you ppl might be able to help me format the disk space and I can't do it using the 'Mp3 player utilities' it says something about 'disk encrypted'

My unit looks exactly like other member 'mdjava' pictures.
What I want to achieve is to get it report the actual size and then may be flash the firmware with something better.

Hope you ppl can help with this.

Fra3
Use Google and look for a program called H2Testw_1.4. I also purchased a 16GB. This tool indicated 1.8GB or close to 2GB of actual flash memory.

I tried the procedure on my chipod that contains a ATJ2115F, TEA5767-VDLD60 and the flash memory of Samsung K9HCG08UIM-PCB0 which is 8 GB (64 gigabit).

I connect the player on usb but I'm unable to set the player into " firmware update mode".
I opened the unit, but don't know which pins to short.


Opening the unit was easy, reassembling was hell and you should take care that the buttons (metal parts) will not slide under their adhesive tape, rendering your player quite useless when it is assembled.

Pictures are attached !

The Reset pin on the AK2025 is pin (6), I don't have data on the chip you have in your picture.

AK2025 firmware extract
 

Has anyone been able to extract and modify firmware from unit's with the AK2025 controller yet? This thread has been going for a while now and does not seem to be going anywhere.

here is mine ...... mine was also a ipod nano clone 16gb but was only 256mb heh bin and text included ..trying to find the data sheets on the ak2025 ..did find one but everything was replaced with dots


is it just a mater of writing soething in z80 loading into mem and executing it to grab the flash.. move so much rom to mem then read the mem??

coupla things I have found out about the player...

fake "touch shakeable" 4th Gen nano looking thing....with 30 pin connector.
s/n 6u734vmxyop[
model no. a1199emc / no. 2115

the bottom has a thin glued-on cover that hides 2 screws...

Also, to force ADFU mode, hold the Play/Pause / down button while plugging in USB cable ....
so no need to disassemble to short the memory chip....

Also, I've attached a zip file of the newest adfu driver i've found with the updated inf....you may hafta explore the USB ADFU if its not autodetecting and replace the ff## in the file ....

well i guess i can't attach a file that big....i'll at least include the .inf

email me with details....

Here's the dump8000.txt file

Ipod nano 4g clone, AK2025 based, with 30 pin connector (only USB-related lines seem to be connected)
Board ID: GOLTONG G-25N_Key_V0.2
Board manifacturing date: 2009.04.30

Flash chips: 2 x SAMSUNG 905 K9GAG08U0M PCB0 (2 GB each, 4 GB total)

I attached a zip with the BROM dump in binary and text format.

re: my chipod...
 

turns out it's a 2.0gb///

if you're stuck at the ADMINISTR 00 MB thing,

use the disktool to create an encrypted partition to bring the drive down to "real" size...

I had to make the partition 5954 MB and then the thing showed ...

ADMINSTR 1968 MB ...

that was the max.

one way of telling is if both "disks" re mount properly in explorer.

if you get the error USB device had problems message .. your encrypted partition isn't big enough ....

YMMV :confused:

Source Code
 

Hi can you share the changes you made to the s1giveio to read the version 11 !

Hi Guys

Is this research still on going?

Please advise.

Thanks.

Here is my dump(see attachment). This dump is from my 2nd fake ipod (AK2025 16GB) which is still able to be detected by my PC.

For my 1st fake ipod (AK2025 16GB), my PC cannot detect this device and whenever connected with same USB cable, it keeps asking for USB driver. I tried ADFUUpdate.inf (from jaf0) but still no luck.

Please help.

Alright, enough BROM dumps for now. I think we have more than enough.

I still have a ton of Series 9 research and documenting to do.

plz sir hellp me i need mp3 firmware.

Board id smd-atj2111 ver.1.1

This seems about the best thread to help me with a AK2025C nano clone.

When I press and hold the play button and plugin the usb, Windows sees the ADFU interface. I have loaded two different ADFU windows drivers and they seem to work. I have tried 3 different versions of s1giveio (v13/v14/the alpha version about which is dated 2009 and seems the latest). s1giveio just does not see the device. Device has an Apple icon on its display. Problem is with the internal flash; it was supposed to be a 4Gb device, but using the MP3 disk tool to test it, turns out its a 2Gb device. I resized it and it all seemed ok, but it would not keep its FAT32 disk layout; windows kept wanting to reformat, so maybe it needs to be slightly smaller? So I tried reformat under Linux, but from what I gather it needs to be encrypted. After the Linux reformat, unit fails to startup, but keeps rebooting. Guess its very unhappy about the disk format. So I want to dump its firmware and then try and fix its disk again.

Opened up the unit and it has the following chips in it:

Battery: 3.7V 140mAh Aman-302030
Main chip: AK2025C SA90QAC OIG
Flash: 1x Hynix H27UAG8T2ATR 16Gbit (2Gbyte; not 4Gb as per the sticker)
Radio chip: Comlent CL5767P
Goodix capacitive/touch sensitive chip.
Board: CB-2518-2-KEY CBD
FW version: 9.5.54.

Probably need a break from looking at this and to come back to it later, with a new approach :)

Also tried winxp-32 in virtualbox and win7 32bit. Also tried the s1res program to extract the firmware. Seems to be nothing can see the device, apart from Windows!

-- 2 years go by -- where is the update?
 

I just got a new 1" mp4 (ipod gen6 clone ?). Just bought off ebay, and it arrived off the mail truck last week (sept/2012).

It says it has 8 Gb storage. Doubt I'll ever use all of it. (I've got a nice old 3.7" mp4 that has an SD-card-slot which I use for vid-watching on the go).

Mainly I bought this 1" ch'ipod so I could clip it onto a watch-band and basically modify into custom LCD-display type watch. It would still have mp3/mp4 abilities... maybe a Star Trek TNG type LCARS display... but that's all unrelated to the main reason for this post.

I can't even start to hack the it cause no one anywhere has firmware support for series 11.

Data (as it shows from its menu):

2011/11/29
1.0.04
2011/12/02
as211a_v1003

and from easychip and chipgenius I get:

actions hs usb flashdisk
atj211x

As you can see, its one of these "relatively new" series 11 chips.

BUT THE ONLY INFO I CAN FIND on where the research is going is easily dated 2010 or so.

As you can imagine, it's now September 2012. Where are our updates? Did it turn out that the new chip setup completely prevents you from updating something like s1res to work with the new series 11?

-- my guess on the old system (v3~v9) vs new system (series 11)

I'm guessing the new format is quite different from the older versions. Originally you had only what, one chip to deal with? It had two sections to it, the firmware (the menu, graphics to display menu, battery-charge level graphic, etc), and the user-accessable storage area (for mp3/mp4/jpg/txt type files).

And the new setup must be almost like having two chips; one with firmware, one with storage and a compression algorithm; and the second chip has all the storage. That would explain why my mp4 has TWO dates listed for firmware.

Anything windows sends or receives probably basically goes to the first chip, gets compressed (or uncompressed) and then stored on the second chip. Guessing there's no direct access to the first chip (its been specifically built and coded to sit like an invisible piece of glass to the end-user. Only the manufacturer is supposed to know how to access it.)

Even if its still mainly one chip, it acts like two chips. Windows XP/Vista shows the device as being hacked to show 8 GB storage, but then if you format it it'll show only 2 GB ... cause basically the "hidden chip" acts like a tiny 7-zip (or winrar/winzip) type program (from our point of view).

So okay, maybe in reality the new series 11 doesn't really work that way, but I'm just trying to give an easy-to-understand basic-picture type explanation. It would also explain why so many ppl have "delay" issues with load-times and "crash/stall" issues with larger files... cause the file needs to decompress to play, basically get unzipped and temporarily-stored in the free space. (Would explain why a 30-second video plays fine, but the moment you try to save or load a 1+ gig video to the supoosed 8 gig storage the device has problems... its kind of like the old "not enough free RAM" issues we had back in the old 386/486 cpu days.)

Flash memory isn't the same as RAM memory. It won't matter if your mp4 has 16 gig of flash storage if its only got a tiny 640 mb of ram (exagerating here, but you get the idea. Would be a bit like trying to read the data off a DVD with only your own eyes instead of using a DVD-player to decompress/decode it and TV to display it).

-- oops, sorry ---

Lol, didn't mean to go on so long. Sometimes I just get a great idea and it comes out in that "sounds a bit like a rant" effect when I try to explain it.

Anyways ... updates?

http://mympx.org/forum/289458-post1.html

here a link to a firmware that maybe can be crossflashing to an other player...

unfortunately s1res can't open it :( any suggestions?